CVE-2024-23647 - OpenCVE

Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks. Versions 2023.8.7 and 2023.10.7 fix the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Goauthentik	Authentik

Configuration 1 [-]

OR	cpe:2.3:a:goauthentik:authentik::::::::
	cpe:2.3:a:goauthentik:authentik::::::::

No data.

References

Link	Providers
https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a
https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-30T16:10:55.999Z

Updated: 2024-08-01T23:06:25.351Z

Reserved: 2024-01-19T00:18:53.234Z

Link: CVE-2024-23647

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-30T17:15:10.913

Modified: 2024-02-06T18:22:58.250

Link: CVE-2024-23647

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23647", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-19T00:18:53.234Z", "datePublished": "2024-01-30T16:10:55.999Z", "dateUpdated": "2024-08-01T23:06:25.351Z"}, "containers": {"cna": {"title": "PKCE downgrade attack in Authentik", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj"}, {"name": "https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a", "tags": ["x_refsource_MISC"], "url": "https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a"}], "affected": [{"vendor": "goauthentik", "product": "authentik", "versions": [{"version": "< 2023.8.7", "status": "affected"}, {"version": ">= 2023.10.0, < 2023.10.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-30T16:10:55.999Z"}, "descriptions": [{"lang": "en", "value": "Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks. Versions 2023.8.7 and 2023.10.7 fix the issue."}], "source": {"advisory": "GHSA-mrx3-gxjx-hjqj", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:06:25.351Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj"}, {"name": "https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "026E19BC-D2BB-4B89-916F-565B498F0C87", "versionEndExcluding": "2023.8.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E579B4B-ACB8-4917-915B-D0FB5FC17F64", "versionEndExcluding": "2023.10.7", "versionStartIncluding": "2023.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks. Versions 2023.8.7 and 2023.10.7 fix the issue."}, {"lang": "es", "value": "Authentik es un proveedor de identidades de c\u00f3digo abierto. Hay un error en nuestra implementaci\u00f3n de PKCE que permite a un atacante eludir la protecci\u00f3n que ofrece PKCE. PKCE agrega el par\u00e1metro code_challenge a la solicitud de autorizaci\u00f3n y agrega el par\u00e1metro code_verifier a la solicitud de token. Antes de 2023.8.7 y 2023.10.7, es posible un escenario de degradaci\u00f3n: si el atacante elimina el par\u00e1metro code_challenge de la solicitud de autorizaci\u00f3n, authentik no realizar\u00e1 la verificaci\u00f3n PKCE. Debido a este error, un atacante puede eludir la protecci\u00f3n que ofrece PKCE, como los ataques CSRF y los ataques de inyecci\u00f3n de c\u00f3digo. Las versiones 2023.8.7 y 2023.10.7 solucionan el problema."}], "id": "CVE-2024-23647", "lastModified": "2024-02-06T18:22:58.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-30T17:15:10.913", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/goauthentik/authentik/commit/38e04ae12720e5d81b4f7ac77997eb8d1275d31a"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-mrx3-gxjx-hjqj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}